Catherine Murphy (Kildare North, Social Democrats) | Oireachtas source

I have also tabled an amendment seeking a sunset clause. I think there are probably several of them. If the general scheme is to supersede this legislation and other legislation, I would have thought it would be self-evident that a sunset clause would be a safeguard, which would be the minimum we would expect. It needs to be stated very clearly that if this Bill passes, we will be making mistakes. Many mistakes with this legislation can be foreseen and I will come back to those issues later but there will inevitably be mistakes in this Bill we will not see coming.

Yet, the shorter duration there is for this Bill, the less likely it is to manifest itself on a constant basis.

I will reiterate the point on scrutiny. This is not the way to do legislation. There has been no oversight of this Bill. That is not the fault of justice committee. It is not the fault of the Data Protection Commission, DPC, which did its level best within the time allowed. Truthfully, it has been shouting into the wind. The way the Department of Justice has handled the introduction of this legislation makes a mockery of the concept of oversight. There is no oversight.

Following the 2016 decision by the Court of Justice of the European Union, CJEU, it was clear that the way we were retaining data in Ireland was a complete breach of European law. In 2017, the Murray report found that the original 2011 Act amounted to the illegal mass surveillance of virtually the entire population of Ireland. A vast amount of private communications information is retained without the knowledge or consent of the people on whom it is being retained. The data shows who we speak to, where we are going and what we are interested in.

The Murray report also made a number of clear recommendations on how we should bring ourselves into line with the law. Those recommendations are not reflected in this Bill. In 2017, the justice committee conducted pre-legislative scrutiny of the general scheme of the 2017 draft Bill. It made a number of recommendations on how to bring the legislation in line with the law. Those recommendations are not reflected in this Bill.

After five years of successive Ministers for Justice essentially sitting on their hands, we are now in a position where emergency legislation is required. This Bill has been fast tracked through both Houses on the basis that it is an emergency. However, it is an emergency of both this Government's and the last Government's making.

This time around the Minister requested a waiver of pre-legislative scrutiny, attempting to circumvent the scrutiny of legislation that will affect the rights of every person in this State. That was not granted. Yet, from the Department’s point of view, it may as well have never happened, because nothing that was said at the meeting was reflected in the legislation. It was never going to be. The Bill was published last Friday, a day after the pre-legislative scrutiny. Committee and Report Stages are scheduled for tomorrow. There is clearly no intention to take on board the serious concerns raised by Members of this House.

It is concerning to see the disregard for the Data Protection Commissioner's role in being mandatorily consulted by the Minister for Justice under section 84(12) of the Data Protection Act 2018 - that is my reading of it - on any proposal for a legislative matter that relates to the processing of personal data. The Minister might confirm that.

The deputy Commissioner for Data Protection, Dale Sunderland, told the justice committee last Thursday that the DPC had received the general scheme of the Bill only eight days earlier. It had not yet submitted its observation to the Department, because the Department had advised that there were significant updates to be made. The DPC received an updated copy less than 24 hours before appearing before the justice committee and less than 48 hours before the Bill was published. The DPC had to brief the committee on its feedback on the general scheme which, at that point, was already outdated. It did not have enough time to prepare a response to the updated Bill. This is ridiculous stuff. This is the kind of thing that happens. We can pick the dates every year on which we are going to see this kind of thing. It tends to be two or three weeks before the summer recess, or just before the Christmas recess. It is almost like a management tool to get Bills that are unpopular or dangerous through at breakneck speed.

There was no meaningful consultation with the DPC at all. Sending it the Bill in advance is not consultation. This is a dangerous lack of oversight on this Bill relating to the State’s continued operation of the clearly illegal power for years after it was made known. It is damaging the rule of law. It is undermining prosecutions that can be thrown out on appeal because of the manner in which State has retained the information.

The Government has admitted that this Bill is not adequate. Another Bill will follow later this year. I would ask the Minister to ensure that the processes surrounding that Bill are sound, that stakeholders will be consulted and that recommendations from the Murray report and the justice committee are taken into account. We need to get an assurance from the Minister that that is how this will be handled when the general scheme comes before the committee and this House.

For this reason, I have submitted an amendment, as have others, in relation to the sunset clause. This is to ensure that the revision of the Communications (Retention of Data) Act 2011 is done in a timely manner. This Bill does not scratch the surface of what needs to be done in order to bring the data retention systems in line with EU law. It does not provide an explicit exemption for journalists, clear oversight mechanisms or compensation to persons whose rights have been violated. Critically, it does not ensure that prosecutions against criminal groups through the use of this data will not be thrown out on appeal. I say this because data that has been collected under this Bill will still be improperly collected.

Under the new section 3(a), one-year data retention orders are given out in all cases. This is completely against the ruling by CJEU that the duration of each data retention measure cannot be systemic in nature and that it must be limited in time to what is strictly necessary. Data retention orders need to be assessed individually. This system of blanket one-year retention orders that can be renewed indefinitely is completely out of line with EU law.

When it comes to the need to retain data for national security reasons, this Bill leaves out one fundamental detail, which is the definition of “national security”. By including a broad and undefined term, such as “national security”, the Bill again falls short of the court’s requirement of proportionality. It is clear under the European law that the legislation we adopt on data retention must have clear and precise rules governing the scope and the application of the data retention measures. It must be limited to what is strictly necessary. By not defining which events or acts constitute a threat to national security, we are granting An Garda Síochána an almost unlimited degree of discretion to determine what is threat to national security and whether that threat is serious enough to justify secret surveillance of individuals or groups. That situation is rife to abuse.

The Murray review was originally commissioned on the back of a discovery that Garda Síochána Ombudsman Commission, GSOC, had obtained the phone records of two journalists without their knowledge or consent as part of a criminal inquiry into a third party. It is, therefore, hard to comprehend why this Bill, five years on, fails to provide for the protection of journalists’ sources. It is a requirement under the European Court of Human Rights, ECHR, that surveillance that is aimed at identifying journalistic sources must go through a heightened screening process, including prior independent judicial approval, before any information that could identify a source is handed over, regardless of how urgent a situation is deemed to be.

The oversight mechanisms in this Bill are simply not up to scratch. The ECHR requires that all surveillance measures must operate under objective supervisory bodies that are completely independent of the authorities carrying out the surveillance and that they must have sufficient powers and competence to exercise effective and continuous control. Instead, we have a proposal for a designated judge who has no technical or legal expertise in the area of data protection, who has no administrative support, who has no power to suspend illegal surveillance, and who will only carry out this function on a part-time basis, once a year.

The Murray review found that there should be an appropriate judicial remedy for breaches of rights under a data retention system.

This is not included in the Bill. I have overall concerns that this Bill attempts to retrospectively validate the illegal retention of data contrary to EU law. Section 9 requires providers to continue to retain data that it is acknowledged is currently being held illegally. By doing so, it is retrospectively validating the illegal retention of data.

I understand there are a number of cases still come in relation to the retention of data under the 2011 Act, including one by Digital Rights Ireland, which also made a complaint to the Data Protection Commission, DPC, seeking it to take enforcement action against providers requiring them to delete data that has been retained illegally. Has the Attorney General given advice as to how this will not come into conflict with the Sinn Féin funds principle, which found that the State cannot legislate to determine something that is currently before the courts? It would also undermine the independence of the DPC by interfering with the power to act in relation to the pending complaint, contrary to Article 52 of general data protection regulation, GDPR.

The DPC has raised significant concerns with this legislation. It is simply not acceptable for the Department to have completely bypassed the DPC in the drafting of this Bill. In light of what it deems to be high risks to the rights and freedoms of data subjects under this Bill, the DPC stated very clearly that the Department should have conducted, and should still conduct, a data protection impact assessment with regard to the processing and provisions proposed. It is absolutely fundamental that this happens prior to the drafting of new legislation later this year, especially if the Government intends to retain the processes outlined in this Bill. The Minister might respond on her intention in that regard.

My final concern with regard to this Bill are the offences contained for service providers that do not comply with the legislation. It creates both a 72-hour and 90-day obligation on service providers, which are subject to a threat of sanction or offence if not complied with. The list of offences includes fines of up to €500,000 and five years' imprisonment. All of this was not communicated to service providers prior to the publication of the general scheme. They should have been consulted in advance to determine whether it was possible for the telecommunication companies to comply with the legislation within that tight timeframe. From Three's submission to the Joint Committee on Justice, it is quite clear that it cannot. Given that the Bill contains additional specified categories of data that need to be preserved, Three estimated it would take it between 12 to 18 months to set up the necessary IT projects. Presumably, the new legislation will be in place within that timeframe, which could very well contradict this Bill. Service providers need assurance that they will not face the threat of criminal sanction for non-compliance when there is simply no way they could comply at all. They also need assurances that they will not be spending money on new IT infrastructure, which they will have to scrap within a year when it is determined that this legislation does not actually conform to EU law.

There are serious concerns with the way the State collects data. It is illegal and infringes the rights of every single person in the State. I do not see any way in which this Bill remedies that situation. However, I see several where it actually makes matters worse. I have absolutely no doubt that we will be in this Chamber in a number of months correcting the mistakes in this legislation and it will have been an absolute waste of everyone's time and effort. I ask the Minister to introduce this sunset clause. That is the very minimum we should expect. Very often, there is a presumption that domestic law trumps EU law in all situations and that is not the case. Our Data Protection Commissioner has a particularly important role given where we are positioned in terms of how the office of the Data Protection Commission relates to other jurisdictions across Europe. I really think we are treating that office which a great deal of disrespect. It is not just disrespect but contempt in terms of not including it in the process by merely sending it a copy of the Bill and that being taken as consultation. It is just not good enough. There is no doubt that mistakes will be made, of which we will see the result before the new Bill appears before us. Hopefully, that will come sooner rather than later.

See this speech in context